author    bnewbold <>  2012-06-05 21:07:10 -0400
committer bnewbold <>  2012-06-05 21:07:10 -0400
commit    af6b57370f37d6bf2cff0164569fe1d88e4ae70b (patch)
tree      6537e5d7bb7f6848d18cb1f75b1f65ca4159b2c7 /networking
parent    933ed9a711197da23f7996d6e85678e32f24c64b (diff)
crude ipv6 tunnel via openvpn
Diffstat (limited to 'networking')
1 files changed, 150 insertions, 0 deletions
diff --git a/networking/ b/networking/
new file mode 100644
index 0000000..4aef252
--- /dev/null
+++ b/networking/
@@ -0,0 +1,150 @@
+Warning: the method described below is almost certainly massive overkill;
+OpenVPN can probably be configured to tunnel IPv6 bi-directionally in other
+# Instructions for properly configuring OpenVPN credentials
+## VPS Host-side
+(based off
+[](linode library)
+instructions, but heavily modified)
+On the remote host (runing debian wheezy), as root:
+ apt-get install openvpn udev
+ cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
+ cd /etc/openvpn/easy-rsa/2.0/keys/
+ # edit vars file, set COUNTRY PROVINCE CITY ORG EMAIL defaults
+ . vars
+ . clean-all
+ . build-ca # override any defaults if you want
+ . build-key-server $YOURSERVERNAME
+ . build-key $YOURSITENAME
+ . build-dh
+ cd keys
+ cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
+Then copy the following to /etc/openvpn/server.conf:
+ # simple machine-machine OpenVPN config file
+ port 1194
+ proto udp
+ dev tun
+ tun-ipv6
+Add openvpn to the default service group and bring up the daemon:
+ update-rc.d openvpn defaults
+ /etc/init.d/openvpn stop
+ /etc/init.d/openvpn start
+The tun0 interface comes up "bare" and not active by default; the following
+should be added to a post-init script, but for now just run it by hand:
+ ip link set tun0 up
+ ip addr add fec0::1/96 dev tun0
+ ip route add $SITE_PREFIX::/64 via fec0::2 dev tun0
+## On-site OpenWRT router
+You'll need to have the certificates generated above available locally.
+Parts of this are much easier to accomplish through the command line...
+Configure any radios or other network interfaces first so those firewall rules
+are set up.
+On an OpenWRT router, first install all required IPv6 packages (luci-app-radvd,
+ip, ip6tables), as well as OpenVPN (luci-app-openvpn):
+ opkg update
+ opkg install luci-app-radvd ip ip6tables luci-app-openvpn
+Configure radvd with the site's /64 prefix, and enable on the LAN interface.
+Configure OpenVPN; easiest to copy-paste the following to /etc/config/openvpn
+and scp credentials to /etc/openvpn:
+ package openvpn
+ config openvpn site_client
+ option enable 1
+ option client 0
+ option dev tun
+ option tun_ipv6 1
+ option proto udp
+ list remote "$VPSHOST 1194"
+ option resolv_retry infinite
+ option nobind 1
+ option persist_key 1
+ option persist_tun 1
+ option tls_client 1
+ option ca /etc/openvpn/ca.crt
+ option cert /etc/openvpn/woods.crt
+ option key /etc/openvpn/woods.key
+ option verb 3
+ option mute 20
+ option comp_lzo 1
+Select "start" in the web interface; for whatever reason this always results in
+a new configuration being generated, just ignore it. If the status doesn't
+change to running, check the system logs (front page, "System Log" sub-tab).
+Go to "Network" tab of web interface and create new "wan6" interface with the
+"tun0" OpenVPN adapter selected. Set the IPv6 address to fec0::2 and the IPv6
+gateway to fec0:;1. Go to "Firewall Settings" and create a new wan6 firewall
+On the radvd tab, set the prefix to the site-specific prefix; enable and keep
+the lan interface. Enable the lan interface on the top level radvd page also.
+To allow unrestricted IPv6 inbound traffic and block outbound IPv4 (but allow
+IPv4 connections to the router... imporant!), go to the "Firewall" subtab, edit
+the "lan" zone, and allow forwarding to wan6 only as both source and
+For IPv6 web ui access, add a static IPv6 address to the LAN interface:
+$SITEPREFIX::1/64 makes sense. (TODO: does this work?)
+Restart the whole kit-and-kaboodle, re-enable openvpn, and see if things work!
+If it doesn't, try watching syslog on both ends while attempting pings, and
+inspect the addresses and routing tables with ``ip -6 route`` and ``ifconfig``.
+# Lazy plaintext no-config Method (raw, for historical reference)
+ sysctl -w net.ipv6.conf.all.forwarding=1
+ # not sure why this is required...
+ ip -6 route add default via fe80::1 dev eth0
+ openvpn --dev tun --tun-ipv6 --daemon
+ # wait...
+ ip link set tun0 up
+ ip addr add fec0::1/96 dev tun0
+ ip route add $SITEPREFIX::/64 via fec0::2 dev tun0
+On router:
+ # install all required packages
+ sysctl -w net.ipv6.conf.all.forwarding=1
+ openvpn --remote $VPSHOST --dev tun --tun-ipv6 --daemon
+ # wait...
+ ip link set tun0 up
+ ip addr add fec0::2/96 dev tun0
+ ip route add default via fec0::1 dev tun0
+ # edit /etc/config/radvd
+ ip addr add $SITEPREFIX::/64 dev br-lan
+The lazy trick was to just use the OpenWRT LuCi interface and set up a wan6
+firewall interface (enclosing tun0) instead of trying to do everything with the
+``ip`` command.
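Review bot: the server.conf given under "+Then copy the following to /etc/openvpn/server.conf:" never references the credentials that the easy-rsa steps just generated and copied into /etc/openvpn (ca.crt, server.crt, server.key, dh1024.pem); with only `port 1194`, `proto udp`, `dev tun` and `tun-ipv6` the host runs as a plain point-to-point peer with no TLS, so the tunnel is neither authenticated nor encrypted, and the router side, which sets `option tls_client 1` with a ca/cert/key, will fail its handshake against it. Add `tls-server`, `ca ca.crt`, `cert server.crt`, `key server.key` and `dh dh1024.pem` to server.conf so the "properly configuring OpenVPN credentials" heading actually holds; note also that `dh1024.pem` comes from the default `KEY_SIZE=1024` in vars, which is worth raising before `build-dh`. Smaller points in the same hunk: `cd /etc/openvpn/easy-rsa/2.0/keys/` is done before `. vars`, but vars lives one level up in 2.0/ (the later `cd keys` confirms that was the intended working directory); the gateway `fec0:;1` should read `fec0::1`; the fec0::/10 site-local range used throughout is deprecated (RFC 3879), so a ULA prefix from fc00::/7 would be the safer choice; and three sentences are cut off mid-line ("tunnel IPv6 bi-directionally in other", "create a new wan6 firewall", "as both source and"), so the firewall-zone instructions as written cannot be followed.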